You are reading:
Under the Surface of Azeroth:
A Network Baseline and Security Analysis
of Blizzard's World of Warcraft

Upgrading the World of Warcraft Launcher

If the version check process determines that a launcher upgrade is required, a new version is downloaded via HTTP over TCP port 80 from Unlike the World of Warcraft client, the launcher is downloaded completely and replaced instead of applying minor patches. The current version of the launcher's compressed file is nearly 1,400 kilobytes, so downloading the entire launcher over slower network connections isn't a minor undertaking. Fortunately, the launcher isn't updated as much as the World of Warcraft game client.

The Bizzard Launcher is really a grouping of programs and datafiles, so the file that's downloaded during this process is a compressed archive containing all of the updated launcher files. Blizzard has their own archiving method called MPQ (named after its creator Mike O'Brian Pack), and this compression mechanism keeps the total download to a fraction of the total size.

Similar to the World of Warcraft news message-of-the-day process, the launcher upgrade process network traffic looks similar to a normal web browser request. The process begins with a three-way TCP handshake to and the HTTP GET request for the updated launcher executable:

The graphical examination of the traffic pattern is almost identical to loading the message-of-the-day, except the total amount of traffic is over 1.7 megabytes of information.

The HTTP transfer is similar to a file transfer with normal web browser, but there are some identifying marks hidden in the HTML protocol that identify the origin of this process. This is a summary of the HTML protocol from the GET command in frame 100:

    GET /update/Tools- HTTP/1.1\r\n
    User-Agent: Blizzard Web Client\r\n
    Cache-Control: no-cache\r\n

The User-Agent identified in the HTML header clearly identifies the Blizzard Web Client as the originating HTML client. This is a different browser header than the World of Warcraft Launcher, because the launcher uses the built-in workstation browser library to request the message-of-the-day. On my lab system running Windows XP with Microsoft Internet Explorer 7.0, the HTML GET command for the launcher contains this User-Agent specification:

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.30)\r\n